C0Wking

Rank: #16945 of 53,624
Total CVSS: 15.9
Vulnerabilities · 2 (Medium: 1, Critical: 1)

PT-2026-37088 · CVSS 9.8 · 2026-05-05
Frappe · Erpnext · CVE-2026-38431

**Name of the Vulnerable Software and Affected Versions** ERPNext versions prior to 15.103.2

**Description** Server-Side Template Injection (SSTI) occurs when an attacker with permissions to create or edit email templates injects template expressions. These expressions are executed on the server during the template rendering process.

**Recommendations** Update to a version later than 15.103.1.

PT-2026-37089 · CVSS 6.1 · 2026-05-05
Frappe · Erpnext · CVE-2026-38432

**Name of the Vulnerable Software and Affected Versions** ERPNext versions prior to 15.103.2

**Description** The Email Template engine allows an attacker with permissions to create or edit email templates to inject malicious JavaScript code. This code is executed in the victim's browser when the template is applied. Cross Site Scripting (XSS) is a flaw where malicious scripts are injected into otherwise trusted websites.

**Recommendations** Update to a version newer than 15.103.1.